What is HTTPS and how can we use it to improve rankings?


Google’s announcement that it’s making HTTPS a ranking factor shows the importance of security and secure websites, and is encouraging webmasters to start using it, too. So, what is HTTPS, why is it important, and what steps do you need to take to move your website to it?


HTTPS and SSL - An overview

What is HTTPS?

Hypertext Transfer Protocol Secure (HTTPS) is a protocol that allows for secure communication over a network. More precisely, it is the result of layering one protocol, the Hypertext Transfer Protocol (HTTP), on top of another - the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. A communications protocol is simply a set of rules that define the way in which data and information are exchanged between machines over a network. Essentially, protocols specify how machines should communicate with one another.

SSL is the most widely-used security protocol. It establishes a secure connection between two machines over a network - the internet, for example, or an internal network - so that data exchanged between them stays confidential.

How does SSL work?

SSL uses certificates, which encrypt information sent to and from websites. These certificates are in the form of small files of data, which, once installed on a server, activate the HTTPS protocol. This encryption protects a user against unauthorised third parties snooping on their data, or gathering information about their activities. Since the data is encrypted, only the user and the computer with which they are interacting will know what has been exchanged, and the data will remain safe.

A website using an HTTPS connection will be accessible from the URL https://www.website.com, and a green bar with a lock will also appear in the address bar, as in the picture below. This shows users that the connection is secure.

Twitter uses HTTPS

Why is it important?

It is particularly important if your website allows users to log in, sign up to a service, fill out a contact form, or send confidential information (for example, credit card details) over the internet. It ensures that this information does not get into the wrong hands. Furthermore, as Google is now giving higher rankings to sites running over HTTPS, it’s important for SEO purposes, as well.

Google has already started using HTTPS for its Search, Gmail, and Drive services, and is suggesting webmasters do the same for their websites.

What do you need to do?

Now that we’ve outlined the importance and benefits of a secure connection, you might want to think about moving your site to HTTPS. Whether you are the owner of a website, a marketer, or a developer, read on to find out how easy it is to make the move.

Moving your website to HTTPS and purchasing an SSL certificate

Previously, we discussed HTTPS and SSL certificates: what they are and why they are important. Now, we will go through the steps involved in moving to HTTPS in order to benefit from a secure connection. Let’s start with obtaining an SSL certificate.

Who is involved?

You, certificate authority, web developer

What do you need to do?

Firstly, you should consider which certificate you need for your business and website, before purchasing one from a certificate authority. A certificate authority is an organisation that issues digital certificates. Following this, there is a process of validating the domain and confirming your identity.

SSL certificates come in various forms, and you will have to decide on the one that is best suited to your needs. This might depend on the sort of business you have, how much you are willing to spend, or the features that you need. A small, local business will have different needs to a well-established multinational, and those with multiple subdomains might need a different certificate to those wishing to cover several domains.

The types of certificates available are outlined below. They can be grouped by validation level or number of domains you wish to secure:

Domain:

Single - protects a single subdomain, e.g. www.your-site.com

Wildcard - protects an unlimited number of subdomains for a single domain, e.g. example.your-site.com (note: you cannot get an organisation or extended SSL certificate with this - see below.)

Multi-domain - protects a number of different domains with a single certificate.

Validation level:

Domain Validated - verifies that the domain is registered and that someone with administrator rights has approved the request for a certificate. Validation is usually done by email.

Organisation - validates that you own the domain, as well as information about the organisation. Requires documentation that verifies that you are the owner.

Extended - requires a longer, more comprehensive vetting process. This type of certificate validates:

  • that you own the domain;

  • information about your organisation; and

  • the legal existence of your business.

With this certificate, the company name appears in the address bar in green, which gives your visitors even more reassurance.

The length of the validation process (a few hours to a few weeks) depends on the type of certificate purchased and the methods involved.

You will also have to generate a Certificate Signing Request (CSR) on the server on which the certificate will be used. Your developer can help you with this part.

A CSR is an encrypted file that contains information such as your business name, domain name, and country. When you generate a CSR, you will also create a private/public key pair for encrypting and decrypting information. The public key will be contained in the file, but the private key will need to be kept by you - make sure you don’t lose this!

The security level of the certificate is determined by the bit length you select for the key. The higher the bit length, the higher the level of security provided. For this reason, Google has suggested using 2048 bits.
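The CSR step described above can be carried out with the OpenSSL command-line tool. The script below is an added example, not part of the original article: it creates a 2048-bit key and a CSR, then checks the key length, the host name in the request, and that the CSR belongs to the private key you are keeping. The subject fields (country, organisation) and the file names are placeholder assumptions.

```shell
#!/bin/sh
# Added example: create a 2048-bit RSA key and CSR with the OpenSSL CLI, then
# verify them. Subject fields and file names are placeholders (assumptions).

make_csr() {   # $1 = output directory, $2 = host name the certificate covers
    (
        umask 077   # private key must be readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$1/your_private.key" \
            -out "$1/your_domain_name.csr" \
            -subj "/C=GB/O=Example Ltd/CN=$2" 2>/dev/null
    )
}

csr_key_bits() {   # print the bit length of the public key inside the CSR
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

csr_common_name() {   # print the host name the CA will be asked to certify
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

csr_matches_key() {   # $1 = CSR, $2 = private key; true if they belong together
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo in a throwaway directory.
work=$(mktemp -d)
make_csr "$work" www.your-site.com
echo "key bits: $(csr_key_bits "$work/your_domain_name.csr")"
echo "subject CN: $(csr_common_name "$work/your_domain_name.csr")"
if csr_matches_key "$work/your_domain_name.csr" "$work/your_private.key"; then
    echo "CSR and private key match"
fi
rm -rf "$work"
```

Only the .csr file is sent to the certificate authority; the .key file stays on the server. Running csr_matches_key again before installation catches the case where the certificate was issued for a CSR generated from a different key.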

Once this has been completed, you are ready to install the certificate! Next, we will look at how this is done.

Installing and configuring an SSL certificate

Once you have purchased your certificate and have received the files, you will need to install them. Typically, these will be sent to you via email, or be made available to download.

Who is involved?

Web developer

What do you need to do?

The SSL certificate(s) will need to be installed in a folder on your web server in order for the HTTPS protocol to be activated. If you buy your certificate from a hosting company, it might be able to do this for you, or it can be implemented by your developer.

This step first requires moving the files onto the server, then configuring some settings.

There are different web servers in existence, and you will need to approach this part in a different way depending on the type that serves your website. Instructions for two of these are outlined below.

Apache

Navigate to the Apache config file. The location of this can vary depending on the server, but it is usually found in the /etc/httpd folder, and is usually named ‘httpd.conf’.

Within this file, locate the <VirtualHost> block. It is usually found in the config file, but it might be located in a separate file called ssl.conf.

Uncomment (i.e. remove the ‘#’ symbol from) the following line:

Include conf/extras/httpd-ssl.conf

In the VirtualHost block, you will need to fill out the information accordingly. Make sure you change the port number from 80 to 443, and add the correct paths to your keys and certificate.

Below is an example:

<VirtualHost 192.168.0.1:443>

DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt

</VirtualHost>

IIS

Microsoft offers a good tutorial on how to achieve this with IIS.

Redirecting

In this part, we will examine an important aspect of moving any website: redirection. When you move a website, whether onto HTTPS or from one domain to another, you will need to let the browser know to redirect the user from the old site to the new site. With regard to HTTPS, you would want users to land on the secure version of your website.

Who is involved?

Web developer

What do you need to do?

Once the SSL certificate has been successfully installed, and you are able to navigate to your website using the new URL, you will need to redirect your old URL at http://www.your-website.com to the one running over HTTPS. This ensures that a user navigating to any HTTP pages will be redirected to the URL using a secure connection.

The way this is carried out will, again, depend on the type of server on which your website is running. Your developer will know this information, and will have to do one of the following.

Apache

A simple redirect can be achieved by placing the following code in your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

IIS (7 and above)

For IIS servers, you will need to install the Microsoft URL Rewrite Module.

Then, add the following code in your web.config file, between the <rules> and </rules> tags:

<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
  </conditions>
  <!-- Permanent sends a 301, the same status as the Apache rule above -->
  <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
</rule>

Users navigating to the HTTP version of your site will now be redirected to the secure site.
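Once a redirect rule is in place, it is worth confirming what the server actually sends. The script below is an added example, not part of the original article: it reads the response headers of a plain HTTP request (for instance the output of curl -sI http://www.your-website.com/contact) and checks that the answer is a 301 pointing at the same host and path over HTTPS. The function name, exit codes and sample responses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit the response headers of an HTTP request for a correct
# HTTP -> HTTPS redirect. Feed it the output of `curl -sI http://HOST/PATH`.
# Exit status: 0 = good, 1 = not a permanent redirect, 2 = wrong target.

check_redirect() {   # $1 = expected host, $2 = requested path; headers on stdin
    status='' location=''
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # HTTP header lines end in CRLF
        case $line in
            HTTP/*)        status=${line#* }; status=${status%% *} ;;
            [Ll]ocation:*) location=${line#*:}; location=${location# } ;;
        esac
    done
    if [ "$status" != 301 ]; then
        echo "FAIL: status '$status' is not 301 Moved Permanently"; return 1
    fi
    if [ "$location" != "https://$1$2" ]; then
        echo "FAIL: redirect target is '$location', expected https://$1$2"; return 2
    fi
    echo "OK: 301 -> $location"
}

# Constructed sample responses (not captured from a real server).
good='HTTP/1.1 301 Moved Permanently
Location: https://www.your-website.com/contact
'
temporary='HTTP/1.1 302 Found
Location: https://www.your-website.com/contact
'
other_host='HTTP/1.1 301 Moved Permanently
Location: https://www.example.net/contact
'

for sample in "$good" "$temporary" "$other_host"; do
    printf '%s' "$sample" | check_redirect www.your-website.com /contact || true
done
```

Both rules above build the target from the Host header of the request, so the host comparison also shows whether the server echoes back a host name you did not expect.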

A few more things...

Following these steps, you should now be able to move your website over to HTTPS. As we have seen, using this type of connection not only benefits your website and users by offering security through data encryption, but is now useful from an SEO perspective, as well.
